Suger

Integration

Grant Suger the permissions it needs to manage your AWS Marketplace on your behalf, no more and no less.


Overview

  1. Visit the Integration page of the Suger Console.

  2. Click the CONNECT button. A new browser tab opens and automatically launches an AWS CloudFormation stack in your AWS account, which creates an IAM role that lets Suger access and manage your AWS Marketplace on your behalf.

  3. Check the box I acknowledge that ... and click the Create stack button.

  4. Wait a few minutes; the AWS Marketplace integration status will be updated to VERIFIED.

Edit Integration

You can edit the integration to update the following fields:

  • Enable Entitlement End Soon Notification: When enabled, specify the number of days (10-60) before an entitlement ends to trigger notifications. Suger will send an initial notification when AWS Marketplace entitlements approach ending, followed by reminders every 5 days. To configure recipients, follow the email notification configuration guide and add the scope END_SOON.ENTITLEMENT.

Delete Integration

The AWS integration can be deleted like all other integrations. Once the deletion icon is clicked and confirmed, the integration info is deleted immediately and permanently from Suger. There is no time window or method to recover it.

Multiple Integrations

You can have multiple AWS Marketplace integrations under the same Suger organization, with each integration operating independently. To set up multiple AWS Marketplace integrations, follow the steps below:

  1. Create a new Suger organization in the Suger Console and wait for it to be approved.
  2. In the newly approved Suger organization, set up a second AWS Marketplace integration.
  3. Contact Suger Support with both the new and old Suger organization IDs. The support team will merge the two organizations—retaining the old one and deleting the new one—while preserving both AWS Marketplace integrations under the original/old Suger organization.

AWS IAM Policies

Here is the list of AWS managed policies included in the Suger Access IAM role.

Policy Name | Description
--- | ---
arn:aws:iam::aws:policy/AWSMarketplaceFullAccess | This policy grants Suger full access to AWS Marketplace and related services, as well as access to Amazon EC2, AWS CloudFormation, and Amazon EC2 Systems Manager.
arn:aws:iam::aws:policy/AWSMarketplaceSellerFullAccess | This policy allows Suger to manage your sales (product listings, offers, entitlements & metering) on the marketplace.
SugerAccessMarketplacePolicy | This policy grants Suger only the permissions on Amazon S3 and Amazon SNS needed to configure and access your AWS Marketplace Commerce Analytics Service and AWS Marketplace Data Feeds Service.

Minimum-Permission Deployment (Optional)

The default CloudFormation template requests broad permissions — including iam:CreateRole, the events:* family, and the AWS-managed AWSMarketplaceFullAccess / AWSMarketplaceSellerFullAccess policies — so that Suger can automatically provision and maintain the IAM role, EventBridge rule, connection, and API destination required for AWS Marketplace event delivery. With the default template, no further manual work is needed on your side, and new AWS Marketplace capabilities are picked up automatically as we add support.

If your security team prefers a tighter blast radius, we recommend using a dedicated AWS seller account exclusively for the Suger integration. A dedicated account is the cleanest way to isolate Suger’s access from the rest of your AWS footprint and is what we suggest for most enterprise customers.

If a dedicated seller account is not an option, please contact Suger Support for a minimum-permission deployment package. We can provide a CloudFormation template scoped down to only the actions Suger needs at deploy time.

Manual EventBridge Setup

If your Suger Access IAM role does not grant iam:CreateRole / iam:CreatePolicy / iam:PutRolePolicy (for example, because you are running the minimum-permission template, or your security team disallows Suger from creating IAM resources on your behalf), Suger cannot auto-provision the IAM role and EventBridge resources required for Concurrent Agreements and other event-driven capabilities. In that case, deploy the standalone CloudFormation template below — under an AWS principal that does have IAM and EventBridge admin permissions — in the same AWS account and region as your AWS Marketplace listings. It creates the four resources Suger needs:

  • An EventBridge Connection with API-key auth (header x-suger-api-key).
  • An EventBridge API Destination pointing at ${Endpoint}/public/aws/eventbridge/webhook/orgId/${OrgId}.
  • An IAM Role that lets EventBridge invoke the API Destination.
  • An EventBridge Rule matching aws.marketplacecatalog and aws.agreement-marketplace events and routing them to the API Destination.

The template uses a -manual suffix on resource names so it will not collide with the resources that Suger normally auto-provisions.

Parameters

Parameter | Description
--- | ---
AuthId | Suger API key value. Sent on every forwarded event as the x-suger-api-key header. Generate one on the API Keys page.
Endpoint | Suger API base URL, e.g. https://api.suger.io (or https://api.suger.cloud for legacy tenants).
OrgId | Your Suger organization ID, visible on the Suger Console settings page.

Template

AWSTemplateFormatVersion: '2010-09-09'
Description: Forward AWS Marketplace events to Suger via EventBridge API Destination

Parameters:
  AuthId:
    Type: String
    NoEcho: true
    Description: Suger API key value (sent as x-suger-api-key header)
  Endpoint:
    Type: String
    Description: Suger API base URL, e.g. https://api.suger.io
    # HTTPS only: the x-suger-api-key header must not be sent over plain HTTP.
    AllowedPattern: ^https://.+
  OrgId:
    Type: String
    Description: Suger organization ID
    AllowedPattern: ^[A-Za-z0-9-]+$

Resources:
  SugerMarketplaceConnection:
    Type: AWS::Events::Connection
    Properties:
      Name: aws-marketplace-event-connection-manual
      Description: API key auth for Suger event ingestion
      AuthorizationType: API_KEY
      AuthParameters:
        ApiKeyAuthParameters:
          ApiKeyName: x-suger-api-key
          ApiKeyValue: !Ref AuthId

  SugerMarketplaceApiDestination:
    Type: AWS::Events::ApiDestination
    Properties:
      Name: aws-marketplace-event-api-destination-manual
      Description: Suger marketplace event ingestion endpoint
      ConnectionArn: !GetAtt SugerMarketplaceConnection.Arn
      HttpMethod: POST
      InvocationEndpoint: !Sub '${Endpoint}/public/aws/eventbridge/webhook/orgId/${OrgId}'

  # Trust policy uses constructed rule ARN (not !GetAtt) to break the cycle
  # Rule.Targets -> InvokeRole -> Rule.
  SugerEventBridgeInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: event-bridge-iam-role-invoke-api-destination
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              ArnEquals:
                aws:SourceArn:
                  !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/aws-marketplace-event-rule-webhook-manual'
      Policies:
        - PolicyName: event-bridge-iam-policy-invoke-api-destination
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: events:InvokeApiDestination
                Resource: !GetAtt SugerMarketplaceApiDestination.Arn

  SugerMarketplaceEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: aws-marketplace-event-rule-webhook-manual
      Description: Captures AWS Marketplace events and forwards to Suger
      State: ENABLED
      EventPattern:
        source:
          - aws.marketplacecatalog
          - aws.agreement-marketplace
      Tags:
        - Key: SugerVersion
          Value: '3'
      Targets:
        - Id: suger-api-destination
          Arn: !GetAtt SugerMarketplaceApiDestination.Arn
          RoleArn: !GetAtt SugerEventBridgeInvokeRole.Arn

Outputs:
  ConnectionArn:
    Description: EventBridge Connection ARN
    Value: !GetAtt SugerMarketplaceConnection.Arn
  ApiDestinationArn:
    Description: EventBridge API Destination ARN
    Value: !GetAtt SugerMarketplaceApiDestination.Arn
  EventRuleArn:
    Description: EventBridge Rule ARN
    Value: !GetAtt SugerMarketplaceEventRule.Arn
  InvokeRoleArn:
    Description: IAM Role ARN used by the rule to invoke the API Destination
    Value: !GetAtt SugerEventBridgeInvokeRole.Arn

Verify

  1. Wait for the stack to reach CREATE_COMPLETE.
  2. Trigger any AWS Marketplace action that emits an event (for example, publishing a change set or accepting a private offer).
  3. Confirm the event is visible on the Suger Console under the AWS Marketplace integration’s recent activity.

If events do not appear within a few minutes, check the EventBridge rule’s Monitoring tab in the AWS Console for FailedInvocations and contact Suger Support with the failure details.
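As a further post-deploy check, the following added example (not part of Suger's template or tooling) audits the invoke role's trust policy and inline policy against what the template above defines: only events.amazonaws.com may assume the role, only for the aws-marketplace-event-rule-webhook-manual rule, and only to invoke one API destination. The sample documents, account ID, destination ID and function names are constructed for illustration.

```python
EXPECTED_RULE = "aws-marketplace-event-rule-webhook-manual"  # rule name from the template

# Constructed sample documents; the account ID and destination ID are placeholders.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "events.amazonaws.com"},
    "Condition": {"ArnEquals": {"aws:SourceArn":
        "arn:aws:events:us-east-1:123456789012:rule/" + EXPECTED_RULE}}}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "events:InvokeApiDestination",
    "Resource": "arn:aws:events:us-east-1:123456789012:api-destination/"
                "aws-marketplace-event-api-destination-manual/"
                "00000000-0000-0000-0000-000000000000"}]}
# Drifted variants: SourceArn condition removed, action and resource widened.
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": "events.amazonaws.com"}}]}
WEAK_POLICY = {"Statement": [{"Effect": "Allow", "Action": "events:*", "Resource": "*"}]}

def _as_list(value):
    """IAM JSON accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_invoke_role(trust_doc, perm_doc, region, account_id):
    """Return findings; an empty list means the role matches the template."""
    findings = []
    rule_arn = f"arn:aws:events:{region}:{account_id}:rule/{EXPECTED_RULE}"
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and list(principal) == ["Service"]
                and _as_list(principal["Service"]) == ["events.amazonaws.com"]):
            findings.append(f"trust: unexpected principal {principal}")
        # Only the template's ArnEquals form passes; other operators need manual review.
        source = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn")
        if source is None:
            findings.append("trust: role is not pinned to the rule by aws:SourceArn")
        elif _as_list(source) != [rule_arn]:
            findings.append(f"trust: aws:SourceArn {source} does not match {rule_arn}")
    for stmt in _as_list(perm_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["events:InvokeApiDestination"]:
            findings.append(f"policy: unexpected actions {actions}")
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or ":api-destination/" not in res:
                findings.append(f"policy: resource {res} is not one API destination ARN")
    return findings
```

To run it against a deployed stack, pass the AssumeRolePolicyDocument from aws iam get-role and the PolicyDocument from aws iam get-role-policy in place of the sample documents.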

Cleanup

When you remove the AWS Marketplace integration from Suger, also delete this stack from CloudFormation (in us-east-1) to clean up the EventBridge Connection, API Destination, Rule, and IAM Role it provisioned. See Delete Integration for the standard cleanup steps.

Marketplace Commerce Analytics Service (MCAS)

The Commerce Analytics Service accesses the Amazon S3 bucket and Amazon SNS topic after you configure the service with the ARN for the topic and name of the bucket. To enable MCAS, please follow the steps below. For more details, see the documentation.

  1. Log in to the AWS Marketplace Management Portal with the AWS account you use to manage your AWS Marketplace products.

  2. Ensure you have the necessary IAM permissions to enroll in the AWS Marketplace Commerce Analytics Service.

  3. Navigate to the Commerce Analytics Service enrollment page.

    • Select Use an existing IAM role

    • Select IAM role as the default MarketplaceCommerceAnalyticsRole

    • Set S3 bucket name suger-mcas-s3-bucket-{aws-account-id}

    • Set SNS topic ARN arn:aws:sns:us-east-1:{aws-account-id}:suger-mcas-sns-topic

    • Click the Enroll button

  4. On the AWS Marketplace Management Portal, record the Role Name ARN in the success message.

Marketplace Data Feeds Service (MDFS)

To get the full structured, up-to-date product billing and customer information from AWS Marketplace, it is highly recommended to set up the Data Feeds Service. Follow the steps below:

  1. Go to the Data Feed Configuration page.

  2. Click Configure with Cloud Formation; a new page with the stack template opens. Enter mp-data-feed as the Stack name (don’t change this name, since it is recognized by the Suger service) and a unique S3 name, suger-mdfs-s3-bucket-{aws-account-id}, as the S3BucketName. Then click the Create stack button.

  3. Once the CloudFormation stack above is ‘CREATE_COMPLETE’, find the S3 Bucket ARN (for example: arn:aws:s3:::suger-mdfs-s3-bucket-{aws-account-id}) and the KMS Key ARN (for example: arn:aws:kms:us-west-2:awsAccountId:key/keyId), and enter them on the Data Feed Configuration page. Click the Submit button.

  4. The Suger service handles the rest of the setup and the scheduled data sync pipeline.

FAQ

  • My Security team asked about the need for a KMS access policy. How does Suger use KMS in our account?

    The KMS access is for MDFS integration, which syncs revenue data and buyer information (company name, address, and email domain).

    AWS requires all S3 buckets for marketplace revenue and buyer reports to be encrypted by a KMS key. This KMS key is created via the CloudFormation template provided by AWS.

    More details can be found here.

    Suger doesn’t require general access to your KMS resources; it is only limited to the one related to the MDFS integration.

Set up Tax & Banking Info

AWS Marketplace requires the seller/ISV to provide valid Tax & Banking Info before selling paid or BYOL (bring your own license) products. Please visit the settings page of your AWS Marketplace Management Portal, and submit the tax information and banking information (to collect revenue from marketplace sales).

Tax Information

The following fields for tax information are required:

  1. Federal tax classification. Most companies are C Corporation, and the others may be S Corporation, Partnership or Limited liability company.

  2. Business Name and Business Address

  3. EIN (Federal Employer Identification Number)

Banking Information

The following fields for banking information are required:

  1. Bank account address: the address on your company bank account.

  2. Bank account holder name: in most cases, this is your company's legal name.

  3. Routing Number

  4. Account Number

FAQ

  • Who do I receive the payment from?

    Payment will always be deposited into your registered bank account. To check your registered bank account, visit the Settings section on AMMP > Payment Information.

  • How much listing/transaction fee does AWS take?

    Listing fees depend on the type of listing, TCV of the offer, and type of offer. The document below is an official document by AWS that covers the fee structure for all scenarios. https://docs.aws.amazon.com/marketplace/latest/userguide/listing-fees.html

  • When is the customer billed?

    AWS bills the customer in one of three ways:

    1. Date of subscription acceptance (upfront billing)
    2. Custom payment schedule (private offers built by flexible payment scheduler)
    3. Metered usage on the second and third day of the month for the prior month’s usage

  • When will I receive money from AWS?

    Every customer has agreed to net payment terms with AWS, which are either net 30, 45, 60 or net 0 for credit cards. Once a customer receives the bill, they must pay the amount within the agreed terms.

    Every seller has a disbursement cycle, which can be set up under settings. There are two cycles: daily and monthly. You can receive the money as soon as AWS receives it or on a specific date every month.

    To check your registered bank account, visit the Settings section on AMMP > Payment Information > Update Banking Information > Disbursement Preference.

  • Do I need to charge and remit taxes separately?

    This depends on the buyer’s country. In countries such as the USA, where the marketplace is responsible for collecting and remitting taxes, this function will be handled by AWS itself. In other countries, such as France, the Seller must collect the tax manually.

    This video has all the details about taxes.

    This link has other details about taxes on different product types, countries supported, and the process.

  • What should we do if there is a delay in receiving payments from AWS?

    You can open a ticket with AWS Support using this link.

  • How to process refunds?

    You can process a full or partial refund to the buyer by clicking this link and submitting the form.

    You can request a refund even when the buyer has not yet paid the invoice. In the additional comments section, mention that the charges should be waived if they are unpaid.

  • Can I invoice a customer in their currency?

    You will create private offers in Dollars ($) as a seller. AWS will, in turn, check the buyer’s currency based on the account ID and the payment settings and then bill them in their currency.

    AWS uses exchange rates published by Bloomberg every day. Here is the updated list of supported currencies.

  • We have an offer that was accepted, but the payment transaction failed. Is there a way to reprocess the transaction?

    If a private offer acceptance fails due to an issue with the customer’s payment method/account, the customer can try accepting the same private offer again after it is fixed. This time, it should go through. The offer they initially accepted didn’t generate any entitlement because it wasn’t processed. They can use the same offer link to accept it again, and it should work this time.

  • We have an offer that the customer has tried to accept three times, and we get an acceptance email and then immediately get a cancellation email. Is this a typical payment issue? Is there something that you’d advise us to tell the customers to solve this?

    There are three main reasons why an offer acceptance might fail:

    1. The person trying to accept the offer doesn’t have the proper permission to complete that transaction.
    2. Their credit card operator declined the transaction, or they have not correctly set up their account for payment.
    3. AWS can reject them from transacting if they have not paid their latest billing.

    Usually, it’s a problem with the customer’s credit card or with their payment account in general. You can contact the customer to have them help you verify the transaction.

    We recommend asking during discovery whether they pay AWS by Invoice or by Credit Card. If they are on a Credit Card, tell them to make sure their Bank knows this transaction is about to be processed so that it does not get rejected; Credit Card companies often reject a transaction of this size as possible fraud.